End-of-Shift report
Timeframe: Friday 09-05-2014 18:00 - Monday 12-05-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
Collabtive folder SQL injection
Collabtive is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the managefile.php script using the folder parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
http://xforce.iss.net/xforce/xfdb/93029
Cobbler kickstart value file include
Cobbler could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request using the Kickstart value when creating new profiles, to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information or execute arbitrary code on the vulnerable Web server.
http://xforce.iss.net/xforce/xfdb/93033
Bitcoin Miner Utilizing IRC Worm
Bitcoin miners have given a new reason for attackers to communicate en masse with infected users. IRC worms are not exactly the most hip way to communicate, but they remain effective at sending and receiving commands. I recently came across several samples which were bitcoin mining examples leveraging IRC. The malicious binary, once installed, queries for the network shares connected to the
http://feedproxy.google.com/~r/zscaler/research/~3/2xQ7VPxF-ms/bitcoin-miner-utilizing-irc-worm.html
strongSwan Null Pointer Dereference in Processing ID_DER_ASN1_DN ID Payloads Lets Remote Users Deny Service
A vulnerability was reported in strongSwan. A remote user can cause denial of service conditions.
A remote user can send a specially crafted ID_DER_ASN1_DN ID payload to trigger a null pointer dereference and cause the target IKE service to crash.
http://www.securitytracker.com/id/1030209
G Data: Symantec's "end of antivirus software" unsettles users
Don't let yourself be unsettled and keep buying antivirus software - that is G Data's appeal. Symantec had previously declared that on average only 45 percent of all attacks are still detected by antivirus software.
http://www.golem.de/news/g-data-symantecs-ende-der-antivirensoftware-verunsichert-nutzer-1405-106381-rss.html
Drupal Flag 7.x-3.5 Command Execution
Topic: Drupal Flag 7.x-3.5 Command Execution Risk: High Text: Drupal Flag 7.x-3.5 Module Vulnerability Report Author: Ubani Anthony Balogun Reported: May 07, 2014 ...
http://cxsecurity.com/issue/WLB-2014050054
After Heartbleed: new certificate, old key
After the Heartbleed bug, many administrators replaced the certificates for their TLS connections. Many, however, made a fatal mistake: they created a new certificate, but not a new key.
http://www.golem.de/news/nach-heartbleed-neues-zertifikat-alter-key-1405-106384-rss.html
Backdoor Xtrat Continues to Evade Detection
While reviewing recent reports scanned by ZULU, we came across a malicious report that drew our attention. It was notable as the final redirection downloaded ZIP content by accessing a PHP file on the domain www.stisanic.com. URL:
hxxp://www[.]stisanic[.]com/wp-content/coblackberrycomnotasdevozdate07052014[.]php ZULU's VirusTotal check scored the file as higher risk. At the time 10
http://feedproxy.google.com/~r/zscaler/research/~3/OqS4L1x6ebQ/backdoor-xtrat-continues-to-evade.html
Link-shortening service Bit.ly suffers data breach
We have reason to believe that Bitly account credentials have been compromised; specifically, users' email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.
http://blog.bitly.com/post/85169217199/urgent-security-update-regarding-your-bitly-account
Fake certificates undermine HTTPS connections
Researchers say a significant share of encrypted communication is affected - firewalls and antivirus software are mainly responsible
http://derstandard.at/1399507237936
Linux kernel: root privileges for users
A bug in the Linux kernel allows an ordinary user to gain root privileges. The bug has been known for a good week, but now there is a public exploit.
http://www.golem.de/news/linux-kernel-root-rechte-fuer-nutzer-1405-106407-rss.html
Race Condition in the Linux kernel
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
Unknown parties offer 33 million e-mail addresses for sale
This could trigger the next wave of spam: unknown parties are offering several million e-mail addresses from German providers for sale via e-mail. Allegedly these are 100 percent valid addresses.
http://www.heise.de/security/meldung/Unbekannte-bieten-33-Millionen-E-Mail-Adressen-feil-2187395.html
HPSBST03038 rev.1 - HP H-series Fibre Channel Switches, Remote Disclosure of Information
A potential security vulnerability has been identified with certain HP H-series Fibre Channel Switches. This vulnerability could be exploited remotely to disclose information.
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04277407
Bugtraq: ESA-2014-027: RSA NetWitness and RSA Security Analytics Authentication Bypass Vulnerability
RSA NetWitness and RSA Security Analytics each contain a security fix for an authentication bypass vulnerability that could potentially be exploited to compromise the affected system. When PAM for Kerberos is enabled, an attacker can authenticate to the vulnerable system with a valid user name and without specifying a password. This issue does not affect other authentication methods.
http://www.securityfocus.com/archive/1/532077